- eCampus News - https://www.ecampusnews.com -

How to maintain the balance between security and privacy

We’re in a unique moment in history, where the negative consequences of organizations tracking our digital traffic are painfully clear. It’s certainly understandable that “security measures” can seem to many people more like intrusive surveillance than personal protection. But a lack of defenses will also have negative consequences for our safety and feeling of trust.

What can security professionals in higher ed do to maintain the balance between safety and privacy? Is it possible to maintain trust in the institution and yet enable users to explore safely?

The importance of context

Consider security and safety analogies in the physical realm such as security guards or checkpoints. Everyone has his or her own sense of what seems obtrusive and what is welcome. There are questions that can help predict where security measures will fall on the acceptable-to-intrusive continuum:

Generally speaking, public or personal areas are expected to operate with little to no proactive controls. As long as people have access to effective and timely reactive measures, a sense of safety can be maintained. Sensitive areas are expected to be under a certain amount of scrutiny, as long as that scrutiny is applied fairly and transparently.

Context in action

In an educational environment, there are areas that must be publicly accessible and relatively unrestricted and areas that should remain private to the individuals or groups who use that space. There are also areas that should be tightly controlled, such as financial, healthcare and administrative information.

In areas that should be tightly controlled, few people would take issue with closely monitoring activity and restricting users to the actions strictly required for those sensitive tasks. The opposite extreme would be personal repositories or computers within housing areas of your network, which should have minimal monitoring or restriction. Most other systems, machines, and users fall somewhere in between.

In unrestricted areas, it’s preferable to use a “blacklist” approach that excludes only those users, code, or machines that are predetermined to be dangerous. Logging only detected security events is generally considered tolerable and useful in this context. In restricted areas, you can add a “whitelist” that allows only “known good” users, code, or machines. Regulations may mandate the use of logging for audit purposes in these areas.
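The two approaches above, expressed as a policy check in Python. This is an added example, not part of the original article; the zone names, subject names, and the choice to treat every denial as the "detected security event" are assumptions made for illustration.

```python
# Added illustration: zone names, subjects and list contents are constructed.
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    mode: str        # "blacklist" = default allow, "whitelist" = default deny
    audit_all: bool  # True where regulation requires a full audit trail
    listed: set = field(default_factory=set)

@dataclass
class Decision:
    allowed: bool
    logged: bool
    reason: str

def evaluate(zone: Zone, subject: str) -> Decision:
    """Decide whether a user, program or machine may act in a zone, and whether to log it."""
    hit = subject in zone.listed
    if zone.mode == "blacklist":
        allowed = not hit
        reason = "on blacklist" if hit else "not on blacklist"
    elif zone.mode == "whitelist":
        allowed = hit
        reason = "on whitelist" if hit else "not on whitelist"
    else:
        raise ValueError(f"unknown mode: {zone.mode!r}")
    # Assumption: a denial counts as a detected security event and is always
    # logged; permitted activity is logged only where an audit trail is required.
    logged = (not allowed) or zone.audit_all
    return Decision(allowed, logged, reason)

# Constructed sample zones: one unrestricted, one tightly controlled.
HOUSING = Zone("student-housing", "blacklist", False, {"known-bad-host"})
FINANCE = Zone("finance", "whitelist", True, {"bursar-workstation"})
SUBJECTS = ["known-bad-host", "bursar-workstation", "unlisted-laptop"]

def run_sample() -> dict:
    """Evaluate every sample subject against both zones."""
    return {(z.name, s): evaluate(z, s) for z in (HOUSING, FINANCE) for s in SUBJECTS}

if __name__ == "__main__":
    for (zone, subject), d in run_sample().items():
        verdict = "allow" if d.allowed else "deny"
        print(f"{zone:16} {subject:20} {verdict:5} logged={d.logged} ({d.reason})")
```

The unlisted laptop shows the difference: it passes unlogged in the housing zone but is denied and logged in the finance zone.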

In a college or university network, the areas that must be strictly controlled should be separate from areas that are expected to operate with little restriction. This separation minimizes the ability of threats or “bad actors” to cause problems by moving from one area to another, raising the level of their access privileges as they go.

Beyond this, we can provide users with tools to protect their own personal areas, as well as education about how and when they might wish to apply them. These tools could include things like:

In general, people aren’t opposed to security, but rather to the loss of personal control it often implies. By understanding the context of the controls, and enabling users to protect their own resources, we can make security measures more palatable.